
I have a group called webdev and I want only root and the members of the group webdev to have write access on the directory /web. Now, here's the problem:

# chmod -R u=rwX,go=rX /web
# ls -l /web
total 4
-rw-r--r--. 1 root root 165 Mar  8 12:29 index.html
# ls -ld /web
drwxr-xr-x. 2 root root 24 Mar  8 12:34 /web
# setfacl -R -m g:webdev:rwX /web
# ls -ld
drwxrwxr-x+ 2 root root 24 Mar  8 12:34 .
# getfacl /web
getfacl: Removing leading '/' from absolute path names
# file: web
# owner: root
# group: root
user::rwx
group::r-x
group:webdev:rwx
mask::rwx
other::r-x

So, the moment I allow the group webdev write permissions on the folder, ls -ld shows that my folder is now writable for group root. However, this is contradicted by the output of getfacl /web, where the group still has the (correct) permissions r-x. So, what's going on?

1 Answer


ls -ld shows that my folder is now writable for group root.

Wrong.

It shows, with the + symbol in that position, that the file has ACLs.

Since the file has ACLs, the meaning of the middle three permissions letters displayed by ls is the mask, not the file-group permissions.

Further reading

JdeBP
  • 2
    In other words, when ACLs are used, the middle three permission letters become sort of a summary of any non-owner, non-world access the file has. In your example, when you see "drwxrwxr-x+", you should be thinking "owner has full access, world has read-only access, and one or more people or groups also has full access, have to check the ACL to know the details." – telcoM Mar 09 '18 at 07:23
  • 1
    Those other words are not fully correct, however. The mask is not a summary. It is auto-updated by some tools, but it is a separately controllable access control entry in its own right and not a summary of other entries. It is, after all, a mask. – JdeBP Mar 09 '18 at 07:40
  • 1
    Oops, I forgot that detail (too used to those auto-updating tools I guess). So substitute "has" with "may have". So, if a directory with an ACL has the middle three permission letters as r--, then you know for certain that any ACLs it currently has can only have the effect of giving extra read access, not write or execute access. (Whether because of the masking effect or because of the tools auto-updating the mask, this fact remains true and possibly useful.) – telcoM Mar 09 '18 at 09:14
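To make the answer and the comment thread concrete, here is an added Python example (not code from the question, the answer or any of the commenters). It takes the getfacl listing from the question as constructed sample input, applies the POSIX.1e mask rules the answer describes, and reports (a) the nine letters ls -l would display, where the middle triple is the mask once a mask entry exists, (b) what each entry actually grants after masking, and (c) which users from a constructed user/group table can write to the directory. The second ACL variant, with the mask tightened to r-x, and the user names root, alice, carol and bob are assumptions made for the demonstration.

```python
"""Interpret a getfacl listing the way the kernel does (added example).

Shows why `ls -l` prints rwx in the middle triple of a directory with an ACL
while `getfacl` still shows group::r-x: with a mask entry present, ls shows
the mask, and named users/groups plus the owning group are ANDed with it.
"""

# Constructed sample input: the getfacl output from the question.
SAMPLE_ACL = """\
# file: web
# owner: root
# group: root
user::rwx
group::r-x
group:webdev:rwx
mask::rwx
other::r-x
"""

# Constructed variant: same entries, mask tightened to r-x (as after
# `setfacl -m m::r-x /web`). The group:webdev entry is unchanged on disk but
# can no longer grant write.
TIGHT_MASK_ACL = SAMPLE_ACL.replace("mask::rwx", "mask::r-x")


def parse_getfacl(text):
    """Return {'owner', 'group', 'entries'}; entries are (tag, qualifier, perms)."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                acl["owner"] = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                acl["group"] = line.split(":", 1)[1].strip()
            continue
        tag, qualifier, perms = line.split(":")
        acl["entries"].append((tag, qualifier, perms))
    return acl


def _bits(perms):
    return {c for c in perms if c in "rwx"}


def _triple(bits):
    return "".join(c if c in bits else "-" for c in "rwx")


def effective_permissions(acl):
    """Map each entry ('user::', 'group::', 'group:webdev', 'other::') to what it grants.

    POSIX.1e: the mask is ANDed with named users, the owning group and named
    groups. The owner entry (user::) and other:: are never masked.
    """
    mask = None
    for tag, _, perms in acl["entries"]:
        if tag == "mask":
            mask = _bits(perms)
    effective = {}
    for tag, qualifier, perms in acl["entries"]:
        if tag == "mask":
            continue
        bits = _bits(perms)
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and masked:
            bits &= mask
        effective[f"{tag}:{qualifier}" if qualifier else f"{tag}::"] = _triple(bits)
    return effective


def ls_mode_string(acl):
    """The nine permission letters (plus '+') that `ls -l` would print.

    With a mask entry present the middle triple is the mask, not group::;
    the trailing '+' marks a file with extended ACL entries.
    """
    entries = {(tag, q): _bits(p) for tag, q, p in acl["entries"]}
    owner = entries[("user", "")]
    other = entries[("other", "")]
    group_field = entries.get(("mask", ""), entries[("group", "")])
    extended = ("mask", "") in entries or any(q for _, q in entries)
    return _triple(owner) + _triple(group_field) + _triple(other) + ("+" if extended else "")


def access_allowed(acl, user, groups, want):
    """POSIX.1e access check for one permission letter ('r', 'w' or 'x')."""
    eff = effective_permissions(acl)
    if user == acl["owner"]:
        return want in eff["user::"]
    if f"user:{user}" in eff:
        return want in eff[f"user:{user}"]
    matched = False  # a matching group entry that denies still blocks the fallback to other::
    for g in groups:
        key = "group::" if g == acl["group"] else f"group:{g}"
        if key in eff:
            matched = True
            if want in eff[key]:
                return True
    if matched:
        return False
    return want in eff["other::"]


def who_can_write(acl, principals):
    """Names from a {user: [groups]} table (constructed) that get write access."""
    return sorted(u for u, gs in principals.items() if access_allowed(acl, u, gs, "w"))


if __name__ == "__main__":
    # Constructed users: root, a webdev member, a member of group root only, an outsider.
    people = {"root": ["root"], "alice": ["alice", "webdev"],
              "carol": ["carol", "root"], "bob": ["bob", "users"]}
    for label, text in (("mask rwx", SAMPLE_ACL), ("mask r-x", TIGHT_MASK_ACL)):
        acl = parse_getfacl(text)
        print(label, ls_mode_string(acl), effective_permissions(acl), who_can_write(acl, people))
```

With the question's ACL the mode string comes out as rwxrwxr-x+, yet only root and webdev members can write; a member of group root (carol) is held to group::r-x. With the mask tightened to r-x the mode string becomes rwxr-xr-x+ and the unchanged group:webdev:rwx entry grants no write at all, which is exactly the guarantee telcoM describes: an r-- or r-x middle triple on an ACL'd file bounds what any entry can add.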